[Cryptography] Should cryptanalysis code be in a reference or non-reference implementation?

Pierre Abbat phma at bezitopo.org
Mon Feb 19 13:32:08 EST 2024


I've written three implementations of Wring and Twistree: in Haskell and Rust, 
which are the reference implementations, and in Julia, which is not. So far 
all the cryptanalysis code is in Haskell, which means that the Haskell package 
has linear S-boxes, fixed rotation, and reduced-round encryption which are used 
only for cryptanalysis and which no one in his right mind would use for 
encrypting or hashing real data. The Rust implementation has linear S-boxes, 
but not fixed rotation or reduced-round encryption. The Julia implementation 
has none of these.

I invented a technique called clutch cryptanalysis (for the car part, not the 
bird litter), which is applicable to ciphers with data-dependent rotations 
such as Wring. So far the results look promising, but I've run into a 
concurrency bug, where I get correct results only if I run it with one thread 
(or in GHCi, which is single-threaded but very slow). I want to run millions 
of reduced-round encryptions and look at the number of bits of rotation, so 
that I can get good statistics. This requires parallelism, which I've gotten 
working in Haskell and Julia, both of which have green threads, but not Rust. 
So I think I'll have to put this cryptanalysis code in the Julia 
implementation.

Those of you who invent ciphers and try to break your own ciphers, where do 
you put the cryptanalysis code?

Pierre
-- 
gau do li'i co'e kei do
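
One answer to the question of where cryptanalysis-only variants belong, as an added Rust example that is not Pierre's Wring or Twistree code: the toy round, its round constants and the `cryptanalysis` Cargo feature name are all hypothetical, and the per-thread histogram shows a pattern whose result cannot depend on the thread count.

```rust
// Added example: hypothetical toy 32-bit round with data-dependent rotation.
pub const FULL_ROUNDS: usize = 8;
/// Round constant for round `i` (constructed, arbitrary odd multiplier).
fn rc(i: usize) -> u32 {
    0x9E37_79B9u32.wrapping_mul(i as u32 + 1)
}
/// One toy round: mix in the constant, then rotate by an amount taken from the
/// data itself unless `fixed` pins it. Returns (new state, rotation used).
fn round(x: u32, i: usize, fixed: Option<u32>) -> (u32, u32) {
    let y = x.wrapping_add(rc(i)) ^ (x >> 3);
    let r = fixed.unwrap_or(y & 31);
    (y.rotate_left(r), r)
}
/// Public API: always FULL_ROUNDS, always data-dependent rotation.
pub fn encrypt(x: u32) -> u32 {
    (0..FULL_ROUNDS).fold(x, |s, i| round(s, i, None).0)
}
/// Variants nobody should use on real data: compiled only under `cargo test`
/// or with the (hypothetical) `cryptanalysis` Cargo feature, never by default.
#[cfg(any(test, feature = "cryptanalysis"))]
pub mod cryptanalysis {
    use super::*;
    use std::thread;
    /// Reduced-round encryption, optionally with the rotation amount pinned.
    pub fn encrypt_reduced(x: u32, rounds: usize, fixed: Option<u32>) -> u32 {
        (0..rounds).fold(x, |s, i| round(s, i, fixed).0)
    }
    /// Histogram of the last round's rotation amount over inputs 0..samples.
    /// Each OS thread (std::thread::scope) counts a disjoint input range into a
    /// private array; arrays are merged after join, so `threads` cannot change it.
    pub fn rotation_histogram(rounds: usize, samples: u32, threads: u32) -> [u64; 32] {
        let chunk = (samples + threads - 1) / threads;
        let mut total = [0u64; 32];
        thread::scope(|scope| {
            let handles: Vec<_> = (0..threads).map(|t| scope.spawn(move || {
                let mut local = [0u64; 32];
                for x in (t * chunk).min(samples)..((t + 1) * chunk).min(samples) {
                    let (mut s, mut r) = (x, 0u32);
                    for i in 0..rounds { (s, r) = round(s, i, None); }
                    local[r as usize] += 1;
                }
                local
            })).collect();
            for h in handles {
                for (t, l) in total.iter_mut().zip(h.join().unwrap()) { *t += l; }
            }
        });
        total
    }
}
```

A non-test build of this file contains only `encrypt`, so the linear or reduced-round variants can never be reached from the production API.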